Bug 701814 (CVE-2019-19269) - <net-ftp/proftpd-1.3.6b-r1: NULL pointer dereference when validating the certificate of a client connecting to the server (CVE-2019-19269)
Alias: CVE-2019-19269
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Reported: 2019-12-02 22:22 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-16 21:10 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 22:22:54 UTC
CVE-2019-19269:
  An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A
  dereference of a NULL pointer may occur. This pointer is returned by the
  OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL
  installed by a system administrator. The dereference occurs when validating
  the certificate of a client connecting to the server in a TLS client/server
  mutual-authentication setup.
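
The failure mode described above, shown as an added C example that is not part of this bug report and is not ProFTPD's or OpenSSL's code: a revocation lookup that checks every pointer the stack accessors can return as NULL before dereferencing it. The types and the names `rev_num`, `rev_value` and `crl_lists_serial` are stand-ins assumed for this example; they mirror the NULL-handling of `sk_X509_REVOKED_num()` and `sk_X509_REVOKED_value()`, and the empty CRL is modelled as a CRL with no revoked-entry stack.

```c
#include <stddef.h>

/* Stand-in types (assumptions of this example), shaped like OpenSSL's
 * STACK_OF(X509_REVOKED). The empty CRL is modelled as a NULL stack. */
struct revoked { long serial; };
struct rev_stack { int num; struct revoked **items; };
struct crl { struct rev_stack *revoked; /* NULL when the CRL is empty */ };

/* Like sk_X509_REVOKED_num(): -1 for a NULL stack. */
static int rev_num(const struct rev_stack *sk) {
    return sk ? sk->num : -1;
}

/* Like sk_X509_REVOKED_value(): NULL for a NULL stack or a bad index. */
static struct revoked *rev_value(const struct rev_stack *sk, int i) {
    if (sk == NULL || i < 0 || i >= sk->num) return NULL;
    return sk->items[i];
}

/* Returns 1 if serial is listed in crl, 0 otherwise. Every pointer that
 * can be NULL is checked before it is dereferenced. */
int crl_lists_serial(const struct crl *crl, long serial) {
    if (crl == NULL) return 0;
    int n = rev_num(crl->revoked);      /* -1 or 0: the loop never runs */
    for (int i = 0; i < n; i++) {
        const struct revoked *r = rev_value(crl->revoked, i);
        if (r == NULL) continue;        /* guard: skip a missing entry */
        if (r->serial == serial) return 1;
    }
    return 0;
}

/* Constructed sample data: an empty CRL, and a CRL whose stack holds
 * one NULL slot followed by an entry for serial 42. */
static struct revoked r42 = { 42 };
static struct revoked *slots[] = { NULL, &r42 };
static struct rev_stack two = { 2, slots };
struct crl empty_crl = { NULL };
struct crl sample_crl = { &two };

int main(void) {
    /* Exit status 0 when both lookups behave as expected. */
    return !(crl_lists_serial(&empty_crl, 42) == 0 &&
             crl_lists_serial(&sample_crl, 42) == 1);
}
```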
Comment 2 Larry the Git Cow gentoo-dev 2019-12-02 22:52:49 UTC
The bug has been referenced in the following commit(s):

commit e2c36f1aded32d1feee68284b3823a77a027ff04
Author:     Sergei Trofimovich <>
AuthorDate: 2019-12-02 22:52:15 +0000
Commit:     Sergei Trofimovich <>
CommitDate: 2019-12-02 22:52:42 +0000

    net-ftp/proftpd: CVE-2019-19269 fix, bug #701814
    Pick upstream commit be8e1687819cb6 ("Issue #859, #861: Fix handling of
    CRL lookups by properly using issuer for lookups, and guarding against
    null pointers.")
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Sergei Trofimovich <>

 .../files/proftpd-1.3.6b-tls-crl-crash.patch       |  40 +++
 net-ftp/proftpd/proftpd-1.3.6b-r1.ebuild           | 275 +++++++++++++++++++++
 2 files changed, 315 insertions(+)
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2020-03-15 06:39:53 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-16 21:10:50 UTC
This issue was resolved and addressed in
 GLSA 202003-35 at
by GLSA coordinator Thomas Deutschmann (whissi).